Nonconformity and Corrective Action Process
This is the Nonconformity and Corrective Action process that goes together with the ISO 27001 App for SharePoint.
The Information Security Manager is responsible for the overall control and operation of this procedure and for coordinating and processing all Non-Conformance Reports.
Managers are responsible for progressing Non-Conformance Reports that are capable of resolution within their area, and forwarding them, and others, to the Information Security Manager.
When a problem or potential improvement is identified, each member of staff has a duty to inform their Manager and/or the Information Security Manager of the issue.
Any employee or third party who becomes aware of an issue which does not meet the defined approach and standards, or which has the potential for such an adverse effect, must raise a Non-Conformance Report immediately and forward it to their manager or Information Security Manager.
The Information Security Manager logs the issue on the ISO 27001 App for SharePoint and assigns an owner
The owner completes the root cause analysis, containment action and corrective action. A timescale to correct the issue is determined, dependent upon the effect the issue is likely to have. The agreed actions may rectify and prevent recurrence of the issue, or the consequences can be accepted (link to risk).
Timescales for completion should have regard to the cost/benefit of the non-conformance and other business priorities.
The Information Security Manager will regularly monitor the progress of outstanding Non-Conformance Reports. If any action has not been completed by the previously agreed date, he/she will agree and record new actions and/or dates. If not satisfied that achievable progress is being made, they will escalate the matter to higher line management responsible for that area.
Non-Conformity Reports will be closed down by the Information Security Manager once the issue has been addressed and proof of consideration to preventive measures can be demonstrated; this may result in a review by scheduled or additional Internal Audits.